jro-grafik - Fotolia

Fancy Bear ties to Kremlin strengthened with Ukraine military hack

Researchers found the Fancy Bear threat group used mobile malware to track the Ukraine military, lending more confidence to assertions the group is linked to the Russian government.

The threat group behind the hacks of the Democratic National Committee, Fancy Bear, was found using mobile malware to track the Ukraine military, leading many to confirm suspicions the group is sponsored by the Russian government.

CrowdStrike Intelligence analysts said they found Android malware infecting an app on Ukraine military devices that contained a variant of X-Agent, a remote access toolkit also used in the hack of the DNC.

"CrowdStrike associates the use of X-Agent with an actor we call Fancy Bear. This actor, to date, is the exclusive operator of the malware, and has continuously developed the platform for ongoing operations, which CrowdStrike assesses is likely tied to Russian military intelligence," Adam Meyers, vice president of intelligence at CrowdStrike, based in Irvine, Calif., wrote in a blog post. "The source code to this malware has not been observed in the public domain and appears to have been developed uniquely by Fancy Bear."

Timo Laaksonen, president of Finland-based F-Secure Corp., said on Twitter this was evidence the Kremlin was behind the DNC hacks.

CrowdStrike said the X-Agent variant was found in an app used by the Ukraine military, which "enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 howitzer." Fancy Bear distributed a trojanized version of the app to as many as 9,000 users.

"Successful deployment of the Fancy Bear malware within this application may have facilitated reconnaissance against Ukrainian troops," Meyers wrote. "The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them."

According to CrowdStrike, the use of this malware to track the Ukraine military "supports CrowdStrike's previous assessments that Fancy Bear is likely affiliated with the Russian military intelligence, and works closely with Russian military forces operating in eastern Ukraine and its border regions in Russia."

Many on Twitter said this report was proof that Fancy Bear is a threat group sponsored by the Russian government, which further strengthens suspicions that the Russian government was behind the DNC hack and attempts to influence the U.S. presidential election.

Andrei Soldatov, a Russian investigative journalist and Russian security services expert, agreed.

Next Steps

Learn more about the White House warning Russia about election hacking.

Find out why cyber attribution relies on human intelligence.

Get info on the White House considering proportional response to Russian hackers

Dig Deeper on Malware, virus, Trojan and spyware protection and removal